White hats watch as epic struggle for domains plays out in real time.


For a good chunk of Tuesday, website administrators at Twitter, The New York Times, and other high-profile media outlets appeared to be locked in a high-stakes battle with self-proclaimed Syrian hackers for control of their Internet domains. Just as quickly as twitter.co.uk, nytimes.com, and other domains were returned to their rightful owners, Internet records showed they'd been seized all over again and made to point to a Russian Web host known to cater to purveyors of drive-by malware exploits and other online nasties.

In between these dueling sides was Melbourne IT, an Australian domain registrar that managed the domain names not only for Twitter and the NYT, but also for The Huffington Post, which security researchers said also experienced problems. Update: A spokesman for the company told The Australian Financial Review the outages were the result of a breach of its security. The login credentials of one of the company's resellers were compromised, allowing attackers to access servers and change the name-server settings that direct users to the sites' correct servers.

One of the researchers following the clash was HD Moore, chief research officer of security firm Rapid7, who watched the struggle play out more or less in real time. At one point on Tuesday afternoon, his searches showed the official domain name servers for twitter.co.uk as being ns1.syrianelectronicarmy.com and ns2.syrianelectronicarmy.com. A half-hour later, the name servers had been changed back to the much more benign servers at a4.nstld.com, f4.nstld.com, g4.nstld.com, and l4.nstld.com.

The pattern repeated itself over and over, not just for the Twitter domain but for the addresses belonging to the NYT and The Huffington Post as well, he said. Compounding the turmoil was the time required for name-server changes to make their way to end users. Service providers often cache the records for high-traffic sites for as long as a day at a time. Because the delegated name servers are what ultimately answer the queries that turn a human-friendly domain name into a network-routable IP address, any resolver that had cached the attackers' delegation kept sending its users to the attackers' servers until that cache expired, and there was no easy way for the legitimate operators to ensure their sites were available to everyone on the Internet.
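The check Moore was doing by hand is easy to automate: pull the domain's NS records, diff them against the delegation you expect, and read the TTL to see how long resolvers could keep serving the attackers' answer after the registrar fixes it. The following is an added example, not code from the article or from any of the companies named in it. It parses `dig`-style answer text rather than querying the network, and the two sample answers are constructed for the example, modelled on the name servers the article names; the expected-delegation table is likewise an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample answers, in the shape `dig +noall +answer NS <domain>` prints.
# Made up for this example; not captured data from the incident.
HIJACKED_ANSWER = """\
twitter.co.uk.\t86400\tIN\tNS\tns1.syrianelectronicarmy.com.
twitter.co.uk.\t86400\tIN\tNS\tns2.syrianelectronicarmy.com.
"""

RESTORED_ANSWER = """\
twitter.co.uk.\t3600\tIN\tNS\ta4.nstld.com.
twitter.co.uk.\t3600\tIN\tNS\tf4.nstld.com.
twitter.co.uk.\t3600\tIN\tNS\tg4.nstld.com.
twitter.co.uk.\t3600\tIN\tNS\tl4.nstld.com.
"""

# Assumed "known good" delegation per domain. In practice this comes from your
# own change records, not from a DNS lookup (which is what the attacker controls).
EXPECTED_NS = {
    "twitter.co.uk": {"a4.nstld.com", "f4.nstld.com", "g4.nstld.com", "l4.nstld.com"},
}

# owner  ttl  IN  NS  target   (whitespace may be tabs or spaces)
NS_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)$")


@dataclass
class NsReport:
    domain: str
    observed: set        # name servers the answer actually lists
    unexpected: set      # observed but not on the allowlist -> hijack indicator
    missing: set         # on the allowlist but absent from the answer
    max_ttl: int         # worst case seconds a resolver may keep the observed set

    def hijacked(self) -> bool:
        """Any name server outside the allowlist means the delegation was changed."""
        return bool(self.unexpected)


def normalise(name: str) -> str:
    """DNS names are case-insensitive; strip the trailing root dot for comparison."""
    return name.rstrip(".").lower()


def parse_ns_answer(text: str):
    """Turn dig-style NS answer lines into (owner, ttl, target) tuples.

    Comment lines (';') and blank lines are skipped; anything else that does not
    look like an NS record is an error rather than silently ignored, so a
    malformed or truncated answer cannot pass as 'no unexpected servers'.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = NS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable NS line: {line!r}")
        records.append((normalise(m.group("owner")), int(m.group("ttl")),
                        normalise(m.group("target"))))
    return records


def check_delegation(domain: str, answer_text: str, expected=EXPECTED_NS) -> NsReport:
    """Compare the observed NS set for `domain` with the expected delegation."""
    domain = normalise(domain)
    if domain not in expected:
        raise ValueError(f"no expected delegation recorded for {domain}")
    recs = [r for r in parse_ns_answer(answer_text) if r[0] == domain]
    observed = {target for _, _, target in recs}
    max_ttl = max((ttl for _, ttl, _ in recs), default=0)
    want = expected[domain]
    return NsReport(domain, observed, observed - want, want - observed, max_ttl)


def describe(report: NsReport) -> str:
    """One-line alert text suitable for a pager or log."""
    if report.hijacked():
        hours = report.max_ttl / 3600
        return (f"ALERT {report.domain}: delegation changed to "
                f"{sorted(report.unexpected)}; cached answers may persist up to "
                f"{hours:.1f}h after it is reverted")
    if report.missing:
        return f"WARN {report.domain}: expected servers missing {sorted(report.missing)}"
    return f"OK {report.domain}: delegation matches ({len(report.observed)} servers)"


if __name__ == "__main__":
    for answer in (HIJACKED_ANSWER, RESTORED_ANSWER):
        print(describe(check_delegation("twitter.co.uk", answer)))
```

Run this on a schedule against answers taken from the TLD's own servers (the parent delegation) rather than from a recursive resolver, since a recursive resolver will happily return whatever it has cached. The allowlist must come from your own records, not from a lookup, because the point of the check is that the lookup can lie. The TTL in the report is the honest answer to "when can we say the site is back": not when the registrar reverts the change, but when the last cache that picked up the attackers' servers expires.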

"The scary thing about this is that once you've changed the DNS for the organization there's not much Twitter can do about it," Moore observed. "They have to wait to get the DNS reset to the previous value. If you watch the whois information right now, it's bouncing back and forth between the Syrian Electronic Army and The New York Times. The New York Times domains are constantly going back and forth and the SEA guys are trying to redirect the websites to a server they control."

At time of writing, both twitter.com and nytimes.com appeared to be under the control of their rightful owners, while twitter.co.uk remained unavailable. A whois search showed its name servers were still listed as ns1.syrianelectronicarmy.com and ns2.syrianelectronicarmy.com.

The fact that all of the affected domains were managed by Melbourne IT at the time that the attacks were initiated has led to speculation that the hacks are the result of some sort of breach at the Australian registrar and Web host. One possibility is that the hackers exploited a server flaw that allowed them to hijack a domain control panel that a Melbourne IT employee uses to change name-server settings and registration information. Indeed, security consultant Mark Burnett unearthed a Pastebin post that appeared to show someone getting unauthorized terminal access to the company's servers. The more likely explanation, given the SEA's penchant for phishing attacks, is that the hackers were able to coax the log-in credentials from a privileged employee and the compromised credentials haven't been revoked yet.

Here's hoping the SNAFU gets resolved soon. The server to which the Syrian hackers' name servers are sending would-be visitors is located at the IP address 141.105.64.37—a known source of malware and phishing attacks. Someone at Melbourne IT should put out this fire promptly and then tell the rest of us exactly what's going on.

Among other things, the SEA is not actually part of the government any more than Anonymous is part of the US government. Even if they were, cutting off the internet to all the innocent civilians there is not particularly just.

Turning off the internet to a country is not actually that easy to do, especially not without cutting it off to places you don't want to cut off.

And of course, hacking a website is most certainly not on the same scale as an act of war; the proper response is not to declare war on any country that hacks us. If we did, we'd be at war with basically everyone.